With the recent changes it seems that SameSite cookie attributes are throwing a wrench into my website now. A cross-browser iframe that was working before on my site is now broken - even with the SameSite=None; Secure being passed through the iFrame in the response header.
I've seen very different reports from people saying Windows 7 doesn't support SameSite=none. Others saying the Secure is breaking or not breaking it. But even the current Microsoft documentation doesn't lay out exactly how Win7 IE11 should react to SameSite=None.
At this point I'm looking for some tips or tricks from anyone who could assist. I've done everything I can think of. This worked before and now suddenly is blocking out the iFrame and throwing a 500 error. Could the order of the set-cookie be causing this?
From some browser testing I've found the following:
The Set-Cookie response header:
Set-Cookie MySitePersistence=436457226.47873.0000; path=/; httponly; secure; SameSite=none; Secure
I tried targeting IE directly as a rewrite preCondition using
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
<add input="{HTTP_USER_AGENT}" pattern="^.*MSIE ([0-9]{1,}[\\.0-9]{0,})*.*$" negate="true" />
<add input="{HTTP_USER_AGENT}" pattern="^.*Trident/.*rv:([0-9]{1,}[\\.0-9]{0,})*.*$" negate="true" />